SSO Server

CORS with authentication enabled

Resources that require to authenticate the user via Authentication header are by default allowed for all origins. How to restrict allowed origins, see Restricting allowed origins for CORS.

Access-Control-Allow-Headers: Authorization
Access-Control-Expose-Headers: WWW-Authenticate
Access-Control-Allow-Methods: GET, POST
Access-Control-Allow-Origin: *

Endpoint

Description

/uas/oauth2/token
/uas/oauth2/userinfo
/uas/oauth2/introspection
/uas/oauth2/revocation

OAuth 2.0 and OpenID Connect 1.0 protocol endpoints

Cannot use client_secret_basic client credentials, other client credentials types are possible

Authorization endpoint is not CORS enabled

CORS with credentials enabled

Resources that require to authenticate the user with credentials are by default allowed for all origins. How to restrict allowed origins, see Restricting allowed origins for CORS.

Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, POST
Access-Control-Allow-Origin: *

Endpoint	Description
/uas/refresh/*	The session refresh endpoint

CORS enabled

Access-Control-Allow-Methods: GET, POST
Access-Control-Allow-Origin: *

Endpoint

Description

/uas/saml2/metadata.xml

/uas/wsf/FederationMetadata.xml

/uas/.well-known/*
/uas/oauth2/metadata.json
/uas/oauth2/metadata.jwks

Metadata endpoints for SAML 2.0, WS-Federation, OAuth 2.0 and OpenID Connect 1.0

/uas/discovery/*
/uas/template/*
/uas/resource/*

Discovery and Template API

/uas/status
/uas/ping

Status endpoints

CORS disabled

For any other SSO Server endpoints, all CORS requests are blocked.

Password

All CORS requests are blocked.

Management Console

All CORS requests are blocked.

Troubleshooting

You can verify the CORS configuration from the diagnostic logs, see Diag log description:

set debug level for INIT for basic filter setup
set debug level for com.ubisecure.util.filter.CorsFilter for more details

References

http://www.w3.org/TR/cors/

Browser not supported